waroptionlist.cpp

ftpserver very good sample

#include "StdAfx.h"
#include "WarOptionList.h"   // class implemented

#ifndef WAR_LOG
#   include "WarLog.h"
#endif

/////////////////////////////// PUBLIC ///////////////////////////////////////

WarOptionList *WarOptionList::mspGlobalOptions;
const WarOptionList::options_def_t WarOptionList::spStandardOptions[] = 
{
    {"ftpd_DOPORT", WarOption::OL_SITE, "1", WarOption::OT_BOOL, "Enables the PORT command (normal FTP transfers), where the server connects to the client in order to transfer files."},
    {"ftpd_DOPASV", WarOption::OL_SITE, "1", WarOption::OT_BOOL, "Enables the PASV command (passive FTP transfers), where the clients connect to the server in order to transfer files."},
    {"ftpd_DOPRIVPORT", WarOption::OL_SITE, "0", WarOption::OT_BOOL, "Allow PORT connections to privileged ports (%lt; 1024)."},
    {"ftpd_STRICTREPLY", WarOption::OL_SITE, "0", WarOption::OT_BOOL, "Enforce reply codes to confirm with the listing in RFC 959 section 5.4"},
    {"ftpd_DATABUFCNT", WarOption::OL_SITE, "16", WarOption::OT_INT, "Number of data buffers used by each file transfer. Under NT, the server will issue pending IO calls for all these buffers to achieve the maximum performance."},
    {"ftpd_DATABUFSIZE", WarOption::OL_SITE, "4096", WarOption::OT_INT, "The size of each IO buffer. The optimal size will depend on the file-buffer size used by the operating system. The size of this buffer is significant in regards of efficient troughput. Under Windows 2000, the transfer speed can vary 800% from a buffer size at 512 bytes to a buffer size at 8192, where 4096 seems to give the best performance on my system."},
    {"ftpd_DATABUFSEGMENTS", WarOption::OL_SITE, "1", WarOption::OT_INT, "The databuffers will normally be passed between the file IO system and the network socket interface. If the file IO system require larger buffers than the network socket system can handle, each buffer can be presented for the network sockets as several individual buffers. This option decides how many individual buffers the socket system will see. Unless you know what you are doing, use the default value!"},
    {"ftpd_RECURSIVE", WarOption::OL_SITE, "1", WarOption::OT_BOOL, "Allow recursive dir-listings. Recursive directory listings takes significant system resources, and may be used to stall the sever by an attacker. Most servers will however allow recursive listings, as lots of FTP utilities (like replication tools) depend on this."},
    {"ftpd_STOUNAME", WarOption::OL_SITE, "ftpd-stou", WarOption::OT_STRING, "Default prefix ofr automatically generated filenames."},
    {"ftpd_ALLOWSTOU", WarOption::OL_SITE, "1", WarOption::OT_BOOL, "Allow STOU command"},
    {"ftpd_ALLOWASCIIRESTART", WarOption::OL_SITE, "1", WarOption::OT_BOOL, "Allow REST command on ASCII files (potential DoS)"},
    {"ftpd_STELTHSYST", WarOption::OL_SITE, "0", WarOption::OT_BOOL, "Don't disclose software or version. This is a primitive security method some server operators wants in order to secure their systems. The method will in most sistations only give a false sense of security, as any FTP probing tool will be able to discover the software used by looking at reply codes, texts and other caracteristic features for the servers. Hiding the version will also not prevent anyone from trying different known FTP vulnerabilities."},
    {"ftpd_NOOP", WarOption::OL_SITE, "1", WarOption::OT_BOOL, "Reset the idle-timer also for the noop command."},
    {"ftpd_SIZEMAXASCII", WarOption::OL_SITE, "32768", WarOption::OT_INT, "Max physical file-size to map to ascii-length with the SIZE command. Binary file sizes are fetched from the file-system and don't represend any significant overhead on the server. ASCII files, on the other hand, must be parsed each time they are queried, and the length calculated from the number of line-breaks found. Issuing SIZE commands on large files when in ASCII mode will therefore be an invitation to lame DoS attacks. This option efficiently prevents this, by defining a max size of the files that will be handled correctly in ASCII mode."},
    {"ftpd_IDLETIME", WarOption::OL_SITE, "900", WarOption::OT_INT, "Idle time for a FTP connection in seconds. If nothing goes on on the connection for this duration, the connection is closed. The idle-time feature was originally put into the FTP protocol specification to handle dead connections (TCP connections that is broken in one end, and where the other end - the FTP server, still believes that the connection is open). The NOOP command is intended to be used by FTP client programs to notify the server that it is still there, when no action is taken. Lately, the idle-times have been used by FTP server operators to kill idle users. As a result, FTP clients have begun to send random commands to confuse servers that dont reset the idle-timer when the NOOP command is received. This is not a good thing, and FTP server operators are encouraged to use the idle-timer for its original intention. If the value is less than 10 (seconds), the option is ignored and the idle."},
    {"ftpd_DATATIMEOUT", WarOption::OL_SITE, "120", WarOption::OT_INT, "The FTP data connection will time out and abort after # seconds."},
    {"ftpd_BINDDATA", WarOption::OL_SITE, "-1", WarOption::OT_INT, "The port the FTP server binds active (PORT command) data connections to. Use 20 for RFC959 compilace, -1 for one below the FTP control connection port, an exact number or 0 for random numbers. This option affects how firewalls will handle the server."},
    {"ftpd_PASVRANGE", WarOption::OL_SITE, "", WarOption::OT_STRING, "A range in the format #-# which specifies the port-range that will be used for passive data connections by the server. This option can help some routers and firewalls to route traffic to the FTP server. A legal value can be \"7000-8000\", which gives a spawn of 1000 ports for data connections."},
    {"ftpd_CPSOUTSAMPLEDELAY", WarOption::OL_SITE, "1000", WarOption::OT_INT, "Delay in milliseconds between samples in the measuring of the transfer speed."},
    {"ftpd_CPSOUTHOLDDELAY", WarOption::OL_SITE, "500", WarOption::OT_INT, "An extra delay between the time the CPS is computed to be accurate, and the time the transfer is resumed."},
    {"ftpd_CPSOUTMINCNT", WarOption::OL_SITE, "2", WarOption::OT_INT, "Minimum saples to get before CPS can be calculated. The CPS is measured as the bytes transfer from the first to the last sample. When new samples are added, and the number exeeds this limit, the first sample in the list is trashed."},
    {"ftpd_CPSOUTMAXCNT", WarOption::OL_SITE, "5", WarOption::OT_INT, "Max samples to use to calculate the CPS."},
    {"ftpd_CPSOUTMINCPS", WarOption::OL_SITE, "0", WarOption::OT_INT, "The minimum CPS to allow. The minimum is never applied before the sample-list is full (contains ftpd_CPSOUTMAXCNT items). Transfers that goes below this limit are aborted, and the user logged off. 0 = disabled."},
    {"ftpd_CPSOUTMAXCPS", WarOption::OL_SITE, "0", WarOption::OT_INT, "The maximum CPS to use on a transfer. If the transfer rate exeeds this limit, the transfer is put on hold until the transfer rate is below this limit. 0 = disabled"},
    {"ftpd_CPSINSAMPLEDELAY", WarOption::OL_SITE, "1000", WarOption::OT_INT, "Delay in milliseconds between samples in the measuring of the transfer speed."},
    {"ftpd_CPSINHOLDDELAY", WarOption::OL_SITE, "500", WarOption::OT_INT, "An extra delay between the time the CPS is computed to be accurate, and the time the transfer is resumed."},
    {"ftpd_CPSINMINCNT", WarOption::OL_SITE, "5", WarOption::OT_INT, "Minimum saples to get before CPS can be calculated. The CPS is measured as the bytes transfer from the first to the last sample. When new samples are added, and the number exeeds this limit, the first sample in the list is trashed."},
    {"ftpd_CPSINMAXCNT", WarOption::OL_SITE, "15", WarOption::OT_INT, "Max samples to use to calculate the CPS."},
    {"ftpd_CPSINMINCPS", WarOption::OL_SITE, "0", WarOption::OT_INT, "The minimum CPS to allow. The minimum is never applied before the sample-list is full (contains ftpd_CPSINMAXCNT items). Transfers that goes below this limit are aborted, and the user logged off. 0 = disabled."},
    {"ftpd_CPSINMAXCPS", WarOption::OL_SITE, "0", WarOption::OT_INT, "The maximum CPS to use on a transfer. If the transfer rate exeeds this limit, the transfer is put on hold until the transfer rate is below this limit. 0 = disabled"},
    {"ftpd_ANONUSERS", WarOption::OL_SITE, "anonymous;ftp", WarOption::OT_STRING, "A semicolon-seperated list of names to interperet as anonymous users."},
    {"ftpd_TEXTFILES", WarOption::OL_SITE, "./msgs", WarOption::OT_STRING, "The location where the server will look for welcome message files."},
    {"ftpd_DIRMSG", WarOption::OL_SITE, "message.ftp.txt", WarOption::OT_STRING, "Default directory change message file. (filename)."},
    {"ftpd_EMAIL", WarOption::OL_SITE, "father-ftp@nospam", WarOption::OT_STRING, "Email address to the FTP site administrator."},
    {"ftpd_ANOSN", WarOption::OL_SITE, "UNIX", WarOption::OT_STRING, "Official Operating System Name from Assigned Numbers (RFC 1700). This is the os-name reported by the SYST command. As most FTP clients relay on the UNIX response to this command, this option should normally not be changed."},
#if WAR_RFC2577
    {"ftpd_ALLOWFTPPROXY", WarOption::OL_SITE, "0", WarOption::OT_BOOL, "Allow FTP Proxy (server to server transfer). This feature opens for all kinds of exiting security problems and should be left off, unless you really need it. See RFC 2577 for an explanation of some the potential problems."},
#endif
#if WAR_RFC2068
    // HTTP options
    {"http_MAXHDRLEN", WarOption::OL_SITE, "16384", WarOption::OT_INT, "Max header length for HTTP requests. This value should be large enough to cover all valid HTTP request headers. If a HTTP header exeeds this length, the event will be treated as a potential security problem (cracking attempt) by the server."},
#endif // #if WAR_RFC2068

    // General server options
    {"core_TMPDIR", WarOption::OL_SERVER, "./temp", WarOption::OT_STRING, "If set, the server will use this directory for temporary files, if the environemnt variable TMP is unset. If TMP is unset, and this option blank, a system default temporary directoty or the servers current working directory will be used."},
    {"svr_NOHOSTLOOKUP", WarOption::OL_SERVER, "0", WarOption::OT_BOOL, "Supress host lookup for local address"},
    {"svr_REGSHTDWNTIMER", WarOption::OL_SERVER, "2500", WarOption::OT_INT, "[Windows only] The interval (in seconds) in wich the registry value \"Shutdown Pending\" is polled for a shutdown condition (non-zero value)."},
    {"svr_MAXOWNUPLOADFILES", WarOption::OL_SERVER, "500", WarOption::OT_INT, "Max files to store in the list over files uploaded by the user. In anideal world, this number should be unlimited - but allowing too many files in the list can eat up memory and cause the server to slow down. So we need a limit to prevent abuse. When the list is full, new files will not be added."},
    {"svr_MAXLOGINTRIES", WarOption::OL_SITE, "3", WarOption::OT_INT, "Max (failed) login attempts before the connection is closed."},
    {"svr_BADLOGINHISTTIME", WarOption::OL_SERVER, "2400", WarOption::OT_INT, "Number of minutes to remember a host (IP) that failed to authenticate. Used with svr_MAXHOSTLOGINTRIES to detect and prevent brute-force password attacks."},
    {"svr_MAXHOSTLOGINTRIES", WarOption::OL_SITE, "25", WarOption::OT_INT, "Max number of failed login attempts that are accepted withing the timeframe of svr_BADLOGINHISTTIME, before the host (IP) is shitlisted."},
    {"svr_MAXSITECONN", WarOption::OL_SITE, "255", WarOption::OT_INT, "Max number of concurrent connections to the current site (virtual host)."},
    {"svr_MAXTOTALCONN", WarOption::OL_SERVER, "500", WarOption::OT_INT, "The maximum total number of connections allowed to the server"},
    {"svr_MAXHOSTCONN", WarOption::OL_SITE, "50", WarOption::OT_INT, "Maximum number of connections to a site from one host. Note that many ISP's use private network addresses for their customers, so that thousands of machines can appear to come from the same host."},
    {"svr_MAXANONCONN", WarOption::OL_SITE, "50", WarOption::OT_INT, "Max number of concurrent connections from the anonymous user to the current site."},

    // User-level options
    {"user_HOME", WarOption::OL_USER, "/", WarOption::OT_STRING, "Specifies the users home directory, when loggin on to a server. Most FTP clients will CD to a directory after login - but some applications (like some WWW authoring tools) depends on a home directory handled by the server."},
    {"user_MAXSITECONN", WarOption::OL_USER, "4", WarOption::OT_INT, "Max number of concurrent connections from this user to the current site."},
    
    {NULL, WarOption::OL_SERVER, NULL, WarOption::OT_INVALID, NULL}
};

//============================= LIFECYCLE ====================================
//============================= OPERATORS ====================================

WarOptionList& WarOptionList::operator += (const WarOptionList& from)
{
    for(WarOptionList::const_iterator P = from.begin()
        ; P != from.end()
        ; ++P)
    {
#ifdef DEBUG
		const std::string optname = P->first;
		const WarOption& opt = P->second;
#endif
        insert(*P);
    }

    return *this;
}

//============================= OPERATIONS ===================================


WarOptionList& WarOptionList::GetGlobalOptions()
{
    if (!mspGlobalOptions)
    {
        mspGlobalOptions = new WarOptionList;
    }
    
    return *mspGlobalOptions;
}


//============================= ACCESS     ===================================


std::string WarOptionList::GetOption(const std::string& name) const 
throw(WarException)
{
    war_option_map_t::const_iterator P = find(name);
    if (P == end())
    {
        WarLog db_log(WARLOG_DEBUG, "WarOptionList::GetOption()");
        if (db_log)
        {
            db_log << "Could not find option: \""
                << name
                << "\"."
                << war_endl;
        }

        WarThrow(WarError(WAR_ERR_OBJECT_NOT_FOUND), NULL);
    }
    return P->second.GetValue();
}

int WarOptionList::GetIntOption(const std::string& name) const 
throw(WarException)
{
    war_option_map_t::const_iterator P = find(name);
    if (P == end())
    {
        WarLog db_log(WARLOG_DEBUG, "WarOptionList::GetIntOption()");
        if (db_log)
        {
            db_log << "Could not find option: \""
                << name
                << "\"."
                << war_endl;
        }
        WarThrow(WarError(WAR_ERR_OBJECT_NOT_FOUND), NULL);
    }
    return P->second.GetIntValue();
}


//============================= INQUIRY    ===================================

/////////////////////////////// PROTECTED  ///////////////////////////////////

/////////////////////////////// PRIVATE    ///////////////////////////////////